python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-11-04 09:57:43 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix Memory DOS in Icns, Ico and Blp Image Plugins

Browse Source 
Some container plugins that could contain images of other formats,
such as the ICNS format, did not properly check the reported size of
the contained image. These images could cause arbitrariliy large
memory allocations.

This is fixed for all locations where individual *ImageFile classes
are created without going through the usual Image.open method.
This commit is contained in:
Eric Soroos 2021-02-24 23:27:07 +01:00 committed by Andrew Murray
parent b511d704ae
commit 480f6819b5
5 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns Normal file
View File

Binary file not shown.

6
Tests/test_file_icns.py
View File

@ -140,3 +140,9 @@ def test_not_an_icns_file():
with io.BytesIO(b"invalid\n") as fp: with io.BytesIO(b"invalid\n") as fp:
with pytest.raises(SyntaxError): with pytest.raises(SyntaxError):
IcnsImagePlugin.IcnsFile(fp) IcnsImagePlugin.IcnsFile(fp)
def test_icns_decompression_bomb():
with pytest.raises(Image.DecompressionBombError):
im = Image.open('Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns')
im.load()

1
src/PIL/BlpImagePlugin.py
View File

@ -353,6 +353,7 @@ class BLP1Decoder(_BLPBaseDecoder):
data = jpeg_header + data data = jpeg_header + data
data = BytesIO(data) data = BytesIO(data)
image = JpegImageFile(data) image = JpegImageFile(data)
Image._decompression_bomb_check(image.size)
self.tile = image.tile # :/ self.tile = image.tile # :/
self.fd = image.fp self.fd = image.fp
self.mode = image.mode self.mode = image.mode

2
src/PIL/IcnsImagePlugin.py
View File

@ -105,6 +105,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a": if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
fobj.seek(start) fobj.seek(start)
im = PngImagePlugin.PngImageFile(fobj) im = PngImagePlugin.PngImageFile(fobj)
Image._decompression_bomb_check(im.size)
return {"RGBA": im} return {"RGBA": im}
elif ( elif (
sig[:4] == b"\xff\x4f\xff\x51" sig[:4] == b"\xff\x4f\xff\x51"
@ -121,6 +122,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
jp2kstream = fobj.read(length) jp2kstream = fobj.read(length)
f = io.BytesIO(jp2kstream) f = io.BytesIO(jp2kstream)
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f) im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
Image._decompression_bomb_check(im.size)
if im.mode != "RGBA": if im.mode != "RGBA":
im = im.convert("RGBA") im = im.convert("RGBA")
return {"RGBA": im} return {"RGBA": im}

1
src/PIL/IcoImagePlugin.py
View File

@ -178,6 +178,7 @@ class IcoFile:
if data[:8] == PngImagePlugin._MAGIC: if data[:8] == PngImagePlugin._MAGIC:
# png frame # png frame
im = PngImagePlugin.PngImageFile(self.buf) im = PngImagePlugin.PngImageFile(self.buf)
Image._decompression_bomb_check(im.size)
else: else:
# XOR + AND mask bmp frame # XOR + AND mask bmp frame
im = BmpImagePlugin.DibImageFile(self.buf) im = BmpImagePlugin.DibImageFile(self.buf)